Merill’s blog
Azure AD Shortcuts
NOTE: Check out https://cmd.ms. The new and improved version of this.
I’m a command line guy and hate having to click to get to various Azure AD pages. Over time I created these shortcuts and thought you might find them helpful.
Here is how it works. Open a new tab and type aka.ms/ad/{command}
Where shortcut is one of the commands below.
| aka.ms | Command | Portal Blade |
|---|---|---|
| aka.ms/ad/ca | ca | Conditional Access |
| aka.ms/ad/pim | pim | Privileged Identity Management |
| aka.ms/ad/users | users | Users |
| aka.ms/ad/groups | groups | Groups |
| aka.ms/ad/devices | devices | Devices |
| aka.ms/ad/apps | apps | Enterprise Applications |
| aka.ms/ad/appreg | appreg | Application Registrations |
| aka.ms/ad/auth | auth | Authentication Methods Policies |
| aka.ms/ad/legacymfa | legacymfa | Legacy MFA |
| aka.ms/ad/guests | guests | Guest Access Settings |
| aka.ms/ad/logs | logs | Sign in Logs |
| aka.ms/ad/xtap | xtap | Cross Tenant Access Settings |
| aka.ms/ad/roles | roles | Azure AD Roles |
| aka.ms/ad/sspr | sspr | Password Reset |
| aka.ms/ad/security | security | Security |
| aka.ms/ad/mfaunblock | mfaunblock | MFA Unblock |
| aka.ms/ad/reviews | reviews | Access Reviews |
| aka.ms/ad/score | score | Secure Score |
| aka.ms/ad/license | license | Licenses |
| aka.ms/ad/synclog | synclog | AAD Connect Sync Errors |
| aka.ms/ad/adfslog | adfslog | ADFS Log |
| aka.ms/ad/consent | consent | Consents and Permissions |
| aka.ms/ad/support | support | Support |
| aka.ms/ad/list | list | List all these shortcuts |
If you liked those here are some of my favourite Identity related shortcuts.
| aka.ms | Page |
|---|---|
| aka.ms/azad | Azure AD Portal |
| aka.ms/sspr | Self Service Password Reset |
| aka.ms/mysecurity | My Security |
| aka.ms/myapps | My Apps |
| aka.ms/my-account | My Account |
| aka.ms/my-groups | My Groups |
| aka.ms/my-access | My Access Packages |
| aka.ms/mystaff | My Access Packages |
| aka.ms/mfasetup | Alternative for My Security |
| aka.ms/ge | Graph Explorer |
| aka.ms/ge | Intune |
Have I missed anything? Have new suggestions? Let me know at twitter.com/merill.
Share on
TwitterGraph PowerShell Conversion Analyzer
Hey folks, I took part in a hackathon last week and built the Graph PowerShell Conversion Analyzer. Hopefully, this will help a bit as you upgrade your AzureAD & MSOnline PowerShell scripts to Graph PowerShell.
It’s very rough right now but I would love to hear your feedback.
Try it out at https://graphpowershell.merill.net
You start by pasting in one of your old scripts that you want to upgrade to Graph PowerShell and clicking the Analyze button.
This will generate a report of all the Azure AD PowerShell and MSOnline commands that were found along with a mapping to its corresponding Graph PowerShell command. The sample generated will try to map the parameters to the new command.
This is where I still need to do a lot more work to make it really useful.
Where possible you also get direct links to both the Graph PowerShell command reference as well as the Graph API reference (which usually has more relevant info).
No more hunting around and searching the docs!
The last bit is where you the community can really help us and each other out. We’ve started an open repository of sample Graph PowerShell scripts at https://aka.ms/graphsamples
We would love to make this the largest collection of Graph PowerShell sample scripts. It’s open to everyone to contribute so please share your scripts (even one-liners).
Let me know what you think. If you have any ideas on how this can be improved I’m all ears!
Share on
TwitterGet-MgUser_List1: Expect simple name=value query, but observe property 'assignedLicenses' of complex type 'AssignedLicense'.
Are you seeing this message when trying to get user license information using the Graph API.
_Expect simple name=value query, but observe property ‘assignedLicenses’ of complex type ‘AssignedLicense’.
❯ Get-MgUser -Filter 'assignedLicenses/$count eq 0'
Get-MgUser_List1: Expect simple name=value query, but observe property 'assignedLicenses' of complex type 'AssignedLicense'.
The fix is quite simple. Set the ConsistencyLevel header to eventual and pass in a variable to store the count of the result set and you are good to go.
❯ Get-MgUser -Filter 'assignedLicenses/$count eq 0' -ConsistencyLevel eventual -CountVariable licensedUserCount -All
Id DisplayName Mail UserPrincipalName
-- ----------- ---- -----------------
1468b68b-8536-4bc5-ab1f-6014175b836d merill-fdo merill-fdo@yopmail.net merill-fdo_yopmail.net#E…
160f8064-a20c-4236-bdf4-3393003e916b Ezra Brand ezra@fdo.net ezra_fdo.net#EXT#@pora.n…
37e5a3d1-f92b-4a12-bb35-91bf80969810 Joshua Sal user2@fakedomain.com user2_fakedomain.com#EXT…
5c8537e4-7d7f-4920-a921-382d91fa53fd Fake Damain user@fakedomain.com user_fakedomain.com#EXT#…
640885de-9652-4fb2-8a87-963cc2f599a0 Chris Green chris.green@yopmail.net chris.green_yopmail.net#…
Share on
TwitterAzure AD Nudge (Authenticator registration campaign) failing to prompt users
Getting users to go to the aka.ms/mysecurityinfo page and set up the Authenticator app for MFA is not an easy task.
Azure AD’s ‘Nudge’ feature allows you to run a Microsoft Authenticator registration campaign that interrupts a user signing in with SMS and nudges them to set up the Authenticator app.
If you set this up but are not seeing users being nudged/prompted with the ‘Improve your sign-ins’ message its most probably because you have a conditional access policy for the ‘Register security information’ page.
The nudge screen will not be displayed if a user’s sign in is in scope of a conditional access policy that blocks access to the “Register security information” page.
Let’s take for example you have a conditional access policy that blocks users from accessing the ‘Register security information’ page over the internet and limits access to your company’s corporate (local area network).
When a user tries signing in over the internet and uses SMS they will not be shown the nudge (Improve your sign-ins) screen.
Let’s say for arguments sake if Azure AD were to send them to the page where they can set up security info. If we allowed the user to set up new auth methods it would bypass your conditional access policy defined above. Alternatively, it wouldn’t be a pleasant experience if we redirected the user to the nudge screen and then showed them a CA policy error when they tried to set up a new auth method.
Instead, we simply avoid showing the nudge prompt if the current sign-in is not in scope for the ‘Register security info’ conditional access policy.
Hope that makes sense.
Share on
TwitterAzureAD Restricted Access - Guest Permission Level
ICYMI We introduced a new guest permission level in Azure AD that restricts what guests can view about other directory objects in your tenant.
When guest access is restricted, guests can view only their own user profile. Permission to view other users isn’t allowed even if the guest is searching by UserPrincipalName or objectId. Restricted access also restricts guest users from seeing the membership of groups they’re in
Here are some before/after experiences for Guests. This is from the My Groups page (accessed from https://aka.ms/myapps ). The guest goes from being able to see the names and email addresses of other guests in the group to the Groups view being disabled for them.
Similarly, guests with restricted access are also blocked from being able to see a list of groups they are members of.
Finally, PowerShell. By default, guests with limited access will be able to get a list of group members and even traverse up the org chart by looking up managers.
Restricted access blocks these commands from being run.
This doc has a neat table summarizing the different access levels. Default user permissions - Azure Active Directory
To learn more about the restricted permission, supported apps and config details see Restrict guest user access permissions - Azure Active Directory
If you want to learn how to restrict PowerShell access for guests while staying with ‘Limited access’, that’s a post for another day.
BTW In Teams
Limited Access = Guests can search any user in the tenant by UPN/email and chat with them.
Restricted Access = Guests can only search and chat with users that are in the team/group(s) they have been invited to. They cannot lookup & chat with other users in the tenant